In terms of cloud security policy, where should we draw the line with transparency? How much should we divulge?
The policies, procedures, standards and controls should be clear, but you don't need to divulge the actual technologies used. How you report adherence to these policies needs to be thorough, however. A good cloud security policy should give customers access to historical data on performance, outages and the nature of breaches, as well as the remediation actions, if any, the provider has taken to mitigate or prevent similar problems in the future. You should also divulge the hiring practices of personnel and what background checks are conducted. For example, customers will want to know: Are background checks only conducted during the hiring process, or are they also conducted regularly during employment? Are the employees required to sign a non-disclosure agreement during and after the employment?